Security Certification Roadmap

If you are looking at this post right now, it is highly likely you are trying to break into information security or looking for guidance where to go next. Welcome and remember that over the years, certifications will change but the advice will remain fairly consistent.

There are essentially three types of stages for information security certifications in a career: entry-level, specialization, management. (I will briefly touch on degrees at the end.)

Each stage has different objectives and has to be treated differently based on how one wants their career to progress. Each stage will be broken down with various certifications.

Entry-Level (0-2 years):
The entry-level stage is reserved for those who either are changing their career or have been in another segment of information technology and are looking to break into information security. Regardless of which one you are, the advice remains fairly consistent. You should be looking at entry-level certifications that will provide you a solid foundation to build upon.

CompTIA Network+ -> Security+ (A+ = optional before Network+):
These should be the very first certifications you get. They will give you basic knowledge of how networks operate and the security concerns that come with them. You will see the information in these certifications later in your career…so yes, you need to pay attention.

::Optional::
Depending on the environment you work in, you might have to know a little about areas outside of information security…enter Cisco, Microsoft, and Linux. Although these are optional, I strongly recommend you get at least one of these certifications to make yourself more knowledgeable and valuable in an organization.

Cisco CCENT -> CCNA:R&S:
As far as networking is currently concerned, Cisco runs the world. You will learn more in depth how networks work and how to configure network appliances (routers, switches, etc.).

Microsoft MCSA - Server:
Microsoft systems have the majority share in the corporate world. Your job might call on you to verify configurations, GPOs, account permissions, etc. and being aware of how to navigate/configure a server is valuable.

CompTIA Linux+:
Linux shows up in enterprise environments every once in a while, and many information security tools have been developed in this operating system. From an overall knowledge standpoint you should feel comfortable with Linux but I do not believe you will get the biggest bang for your buck getting certified. However, if you need a certification to pass some free time, Linux+ would be a fun adventure.

Specialization (2+ years):
I bet you thought to yourself…“hmm, that was easy.” The specialization phase is where things get a little tricky. At this point in your career you have to start deciding which areas you enjoy the most. This can range from network security, system security, forensics, penetration testing…and the list goes on and on. Hopefully by this point you have had broad exposure to a lot of aspects and can make an informed decision. If not, that is OK, because people tend to bounce around in this area. Below are the major areas, although more do exist.

In general, the above certifications to specialize in will provide a solid foundation if you choose to go one way versus another. These have been arranged by the years of experience required or recommended (per specialization).

Management (4-5+ years):
Congratulations! You have made the decision to move from the trenches to the big office. Generally, management is involved with policy creation, and management of the information security program. Although these certifications require several years of experience, most offer an “Associate” option for those less experienced until they acquire the needed years of experience.

(ISC)2 CISSP -> ISACA CISM

These are the two major players in information security management certifications. The CISSP does have concentration certifications, but you must be a CISSP before you can pursue them.

DEGREES:
Knowledge is power! Whether a degree matters really depends on your end goal. If you want to be a highly technical person, a degree might not be necessary…although some companies screen out applicants without degrees before they even get an interview, so not having one could be a hindrance.

Generally, to get the high-level management positions you will need some type of advanced degree (an MBA is common for those who started with a technical bachelor's). Degrees can be helpful in providing you with knowledge from experts in a condensed period of time, which can be very valuable. Realize that certifications + degree + experience is the key to the most success. That does not mean you cannot get a good position without a degree, but the certifications and experience have to be in place.

For advanced degrees, get something that differs from your undergraduate degree. If you have a degree in business, get a degree in some type of technology field…and the opposite if you have a degree in technology.

One last thought about degrees and time commitment. They take a lot of time and energy (especially advanced degrees) for coursework. They can be much more time-consuming than a certification, and you need to take that into account when deciding. As somebody who has spent time solely as a student and then as a full-time employee finishing master's-level classes...work + classes means you probably will not get certifications done at the same time. Also consider your personal life, such as family, kids, etc.

**GIAC certifications were not mentioned in this post due to the high cost and inaccessibility to most people paying out of pocket. They are however highly regarded and have a path from entry to expert/management.**

Comments

Great post! I think when it comes down to it - security is really broad and can be catered to your own skill set/intellectual curiosity. You just need to gain that mandatory, foundational knowledge-base and work experience then the sky's the limit.

Great post!! I have had a lot of struggles the past year deciding what I wanted to do and it is not an easy decision as I enjoy a lot of different aspects in IT like networking and pen testing. But I also want to do the CISSP as well but that is more of a management based certification.

It is really like many careers where you start with foundational knowledge (the base of a pyramid) and as you progress you start to narrow what you know and specialize.

You're welcome...I hope this post helps people. Frequently people ask about what certification they should get and when...and then how does a degree fit into the equation but the posts are kind of scattered. I wanted to give something that outlines the basics and the timeframes to shift their focus.

Specialization can definitely be tough because many of us want to learn several areas. In reality, if you want to truly be great you have to decide and not be afraid to change if needed. There is nothing wrong with going down one path then switching. The only caveat is that it could be more difficult to come back from management because you are unlikely to be getting hands on with the technology...but not impossible.

With respect this roadmap is leaving a lot untouched. It might be better to look at some of the older threads that have dealt with this subject and are a bit more comprehensive.

As any roadmap or framework provides a tool to help guide people. Are there more certifications and paths that exist? Obviously...R&D, reverse engineering, etc...but one post won't cover an entire industry because that discussion would last a long long time. The post was meant to give guidance...not a magic bullet that's for Google and deeper more focused posts.

Additionally, the above certifications are what show up in job postings the most. Getting past HR with known certifications is a major part of job hunting.

Reasons:
- If you are already in security, your company might/should be willing to pay for them.
- There is a work study program most people can afford.
- Or (less likely) the person might have a sack of money lying around to invest in them.

Good post, but only thing I would say is that, the places where I have worked, anyone with more than 12 months experience is not considered entry-level. Their idea of entry-level is just zero experience. A degree in said line of business and internship counts as experience.

Levels vary by organization, and the experience one receives. The main point is to get those certifications and keep moving on up. Being conservative on time requirements is better than being very aggressive and failing.

Great post/thread. I'll add that for systems/OS security, MCSA/MCSE or RHCSA/Linux+ are just as relevant as CCNA/P:S are for network security.

Yes network security is very important but these days if you think firewalls, IPS, NAC, segmentation, etc., are enough you're gonna get owned a lot. Hackers attack endpoints and end users without needing to circumvent a network perimeter (if that even really exists anymore) all day every day. Just sayin'.

I'm trying to specialise in pen testing and I'm in the entry level stage cert route right now.

What do you think about CCENT --> Sec+ --> CCNA Security as an alternative to the net+ --> sec+ route?

I feel like if I take the CCNA security route though I'll be spending time in the net sec world more than I need to be. Then again, I was told it would be a better career boost than the comp tia path you mentioned as applying to info sec jobs would be relatively easier. Any thoughts on that?

Cisco has said that people who take Network+ generally do a little better than those without it. At this point I would say it depends on how comfortable you feel self studying.

Do you have any experience? These days I would be more likely to recommend getting CCNA + MCSA, and then get Security+. If you want to have pen testing as a speciality, CCNA:Security isn't going to benefit you too much...but having networking and OS knowledge will be valuable. Then once you complete those 3 you will have the foundation knowledge and can start down the pen testing route somewhere around 2 years.

I have a conundrum. I had classes for the CCNA but I plan on going into information security. I have also had security+ and CCNA security classes. I am working on a BAS in Information Assurance which is an MIS type degree. So according to what I see for those going into infosec they recommend your route. (I don't know what I will eventually be specializing in.) In your opinion, do I switch cert exams from CCNA to Net+? Should I try CCENT + CCNA Sec?

Honestly I would do MCSA > CCNA:R&S...this gives you your foundation, then Security+ > CCNA:Security. I like the CCNA:Security after a small gap because it pushes your expiration date out further and it really focuses on network security instead of being a broad exposure like Security+.

My opinion on the subject has changed a little since I wrote this post.

Although I do not agree with some of your cert ideas to cover an entire spectrum of some security topics here, I do not come to rationalize or argue the point. So I am not going to criticize you; it is better to help here.

However, a cert-based "security" guide, especially one with a lot of vendor-based (Cisco/Microsoft) certs, is always going to be tough, as not all important security-related skills are covered.

The list was from 2015 and in no way was going to cover everything...it was more of a base for people to help guide them at a low cost for self funding. Microsoft and Cisco are the only two vendors I would openly recommend as they are everywhere...when you start getting into specific vendors, I only recommend the technology if you use it because the list is endless. Additionally, I listed heavy hitters on job boards because it makes little sense to recommend certifications that won’t get you the most looks. Your recommendations are great for add-ons...I did not want to tell somebody go learn a DLP technology because if they don’t have the foundation, they are less likely to get a job...again the list is from 2015 so the industry focus past entry level has even shifted.

Ah I see, wow 2015 seems so long ago. I did not realize that someone brought this topic back to life :P

A person with 2 years experience under their belt will be very hard-pressed to get a CCIE Security, just sayin'.
A CCIE in any track requires a significant investment of time, and a solid technical background that is nearly impossible to obtain within such a relatively short time frame.

Great post, only problem I see is that for the CISA certification you need to be able to verify 5 years of experience in either Information Systems, Security, or Auditing. So the 2+ years doesn't really align with that. CISA is considered by many a management level cert anyway. It just focuses on technical abilities rather than the Management overview. I just feel like the CISA should be placed in the 4-5+ years section of your post, because of the required experience to earn the certification. Sure you can take the exam without the experience, but you must gain that experience within 10 years of passing the exam.

That's fair...there is always the debate with certs like CISA and CISSP whether to take them before you have the experience or not. Honestly, most information security jobs can apply to the CISA domains, so I don't really see the 10-year mark being a big issue. The job somebody has has a lot of impact on which certifications people go for, so it's one of those "it depends" arguments.